A man-in-the-middle attack occurs when an attacker sits in the middle of the communication between two victim devices, secretly relaying traffic back and forth on their behalf. It can be thought of as active eavesdropping: the attacker can not only see the traffic traveling to and from the victim devices, but can also alter it or inject traffic of his own. From this position the attacker can capture personally identifiable information and login credentials, read or tamper with any content that is not encrypted, and so on. Furthermore, a man-in-the-middle attack is often the first step in more dangerous attacks. In this demonstration, I'll be sitting between a target device and the router/gateway on a private network using Cain & Abel. This will allow me to see the target's Web traffic.

As you read, you can follow along on this video demonstration I put together. All the IP addresses displayed are private or not globally routable.

The information provided on the cybersecurityman is for educational purposes only. I am in no way responsible for any misuse of the information provided. All the information here is meant to provide the reader with the knowledge to defend against hackers and prevent the attacks discussed here. At no time should any reader attempt to use this information for illegal purposes.

Step 1: Open Cain & Abel

Open up Cain & Abel. Navigate to the "Sniffer" tab at the top and then click the "Start/Stop Sniffer" button on the tool bar (if the sniffer refuses to start or sees nothing, make sure the correct network adapter is selected in the Configure dialog first). Then, click the "+" or "Add to list" button to the right. This opens Cain & Abel's "MAC address scanner."

Step 2: Scan for the Target

We can use the MAC address scanner to discover every live host on the network by sending an ARP request for each address in turn (effectively a broadcast storm of ARP requests). Since I'm on a private /24 network (10.0.0.0/24), Cain & Abel will probe every host address between 10.0.0.1 and 10.0.0.254. As you recall from networking and IP addressing topics, the network address 10.0.0.0 and the broadcast address 10.0.0.255 cannot be assigned to hosts, so they are not scanned.

Essentially, the scanner broadcasts, for each value of x, "Who has the IP address 10.0.0.x? Please respond," where x is the host number. The host that owns that address answers with its MAC address, and so should our target. So, make sure the "All Tests" checkbox is selected and then click OK.

After the scan, the live hosts (each MAC address and its matching IP address) should now be displayed. The target should be among them: my target is 10.0.0.247.

It's not the end of the world if your target did not show up; a host that is asleep or busy can miss a single sweep. Just wait a few minutes and then scan again. Or, if you know the target's IP address, open a command prompt and ping it, then scan again.

ping 10.0.0.247

The target should reply with an ICMP echo reply. To exchange those packets, the target has to answer an ARP request for its address, so it will show up on Cain & Abel's next scan.

Step 3: ARP Poison

The goal of this man-in-the-middle attack is to capture the target's Web traffic. In order to do this, I will also need to target the gateway. A gateway is the router that sits between the internal network and the Internet; it connects two dissimilar networks together. As on many home networks, the default gateway here is the first usable address in the subnet, 10.0.0.1.

While remaining on the Sniffer tab, navigate to the "APR" tab at the bottom. Click anywhere in the top pane and then click the "+" or "Add to list" button at the top again. This will open the "New ARP Poison Routing" window. I'm going to highlight my two targets, 10.0.0.247 in the left list and 10.0.0.1 in the right list, and click OK. This means I'm going to intercept the traffic flowing in both directions between the target and the gateway.

Step 4: ARP Poison the Targets

"Address Resolution Protocol (ARP)" is the protocol that maps an IPv4 address to the physical (MAC) address recognized on the local network. ARP has no authentication: any host can answer any request, and most IPv4 stacks will also update their cache on a reply they never asked for. That weakness is what ARP poisoning abuses.

Now that ARP poisoning is set and ready-to-go, I can click the “Start/Stop APR” button on the tool bar (It’s the radioactive symbol). This will change the status from “idle” to “poisoning,” as you can see below.

So, what exactly did I just do? I corrupted the ARP tables of the devices at 10.0.0.247 and 10.0.0.1 by sending each of them forged ARP replies. Put as simply as possible: the target at 10.0.0.247 thinks it's communicating with the gateway, but it has been fooled into sending that traffic to me instead. Likewise, the gateway at 10.0.0.1 thinks it's communicating with the target, but it too has been fooled into sending that traffic to me. Make sense? I'm sitting right between both devices, and I got there by changing the ARP entries in their ARP tables. Here's an example of a legitimate ARP table I pulled up with the arp -a command on my own system:

Still confused? Cain & Abel lets you tamper with the ARP entries on other hosts. Let's keep it simple here though. Let's say 10.0.0.247 has the MAC address AAAA and 10.0.0.1 has the MAC address BBBB. Each device keeps an ARP table that caches the correct IP-to-MAC pairs it has learned on the network; it is the lookup table a host consults before it puts a frame on the wire. But if I ARP poison these devices, I can replace those entries with my own MAC address, which we'll say is CCCC, and in effect reroute their communication through my computer. So, with the ARP table for 10.0.0.247 shown below, the target knows that if it wants to communicate with 10.0.0.1, it must send frames to the device with the MAC address BBBB.

But by sending 10.0.0.247 a forged ARP reply claiming "10.0.0.1 is at CCCC," I overwrite that entry with my own MAC address. Now, when 10.0.0.247 wants to communicate with the gateway at 10.0.0.1, it will send the traffic to CCCC instead, which is me. Cain & Abel keeps re-sending these forged replies so that the poisoned entries do not time out and revert to the real addresses.

This is what ARP poisoning does. So, let’s take a step back and picture what this man-in-the-middle attack looks like:

Step 5: Monitor

With APR running, all traffic between 10.0.0.247 and 10.0.0.1 passes through my machine. So, when the target requests a Web site, that request arrives at my computer. I then forward it to the gateway, and the gateway forwards it out onto the Internet to the Web server hosting that Web site. The Web server sends its response back to the gateway. The gateway forwards the response to me (its ARP table now says the target lives at my MAC address), and I pass it on to the target. Neither the target nor the gateway has any idea that I'm intercepting and forwarding their traffic. Cain & Abel does this forwarding for you; if it stopped, the target would simply lose connectivity, which is the most visible symptom of a botched ARP poisoning attack.
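To make the ARP-table story and the forwarding path in the two preceding sections concrete, here is a small simulation I've added for this write-up (it is not Cain & Abel code and does not touch a real network). It models each host's ARP table as a dictionary, delivers the same forged replies APR sends, traces which MAC addresses a frame actually visits before and after poisoning, and finishes with the defender's check: an `arp -a` listing in which one MAC address claims more than one IP. The target and gateway addresses and the placeholder MACs AAAA/BBBB/CCCC come from the text; the attacker's IP address (10.0.0.50), the `Host` class, and the helper names are assumptions made for the example.

```python
"""Simulated ARP poisoning between a target (AAAA) and a gateway (BBBB).

Added example for this write-up, not Cain & Abel's code. The attacker IP
and all class/function names are illustrative assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Addresses from the text; the attacker's IP address is assumed.
TARGET_IP, GATEWAY_IP, ATTACKER_IP = "10.0.0.247", "10.0.0.1", "10.0.0.50"
TARGET_MAC, GATEWAY_MAC, ATTACKER_MAC = "AAAA", "BBBB", "CCCC"


@dataclass
class Host:
    ip: str
    mac: str
    arp_table: Dict[str, str] = field(default_factory=dict)  # ip -> mac

    def on_arp_reply(self, sender_ip: str, sender_mac: str) -> None:
        # Most IPv4 stacks accept an unsolicited reply and overwrite the
        # cached entry without asking who sent it. APR sends exactly these.
        self.arp_table[sender_ip] = sender_mac

    def resolve(self, dst_ip: str) -> str:
        return self.arp_table[dst_ip]


def build_lan() -> Dict[str, Host]:
    """Constructed LAN state after Cain's MAC scan: every table is correct."""
    target = Host(TARGET_IP, TARGET_MAC,
                  {GATEWAY_IP: GATEWAY_MAC, ATTACKER_IP: ATTACKER_MAC})
    gateway = Host(GATEWAY_IP, GATEWAY_MAC,
                   {TARGET_IP: TARGET_MAC, ATTACKER_IP: ATTACKER_MAC})
    attacker = Host(ATTACKER_IP, ATTACKER_MAC,
                    {TARGET_IP: TARGET_MAC, GATEWAY_IP: GATEWAY_MAC})
    return {h.mac: h for h in (target, gateway, attacker)}


def poison(lan: Dict[str, Host]) -> None:
    """What clicking Start APR does: one forged reply in each direction."""
    lan[TARGET_MAC].on_arp_reply(GATEWAY_IP, ATTACKER_MAC)   # "10.0.0.1 is at CCCC"
    lan[GATEWAY_MAC].on_arp_reply(TARGET_IP, ATTACKER_MAC)   # "10.0.0.247 is at CCCC"


def trace(lan: Dict[str, Host], src_mac: str, dst_ip: str, max_hops: int = 8) -> List[str]:
    """Return the MAC addresses a frame for dst_ip visits, starting at src_mac.

    A host that receives a frame for an IP it does not own behaves like
    APR: it looks up the real owner in its own table and forwards the frame.
    """
    path = [src_mac]
    hop = lan[src_mac]
    while hop.ip != dst_ip:
        if len(path) > max_hops:          # guard against a poisoned relay looping
            raise RuntimeError("forwarding loop: " + " -> ".join(path))
        next_mac = hop.resolve(dst_ip)
        path.append(next_mac)
        hop = lan[next_mac]
    return path


def duplicate_mac_entries(arp_table: Dict[str, str]) -> Dict[str, List[str]]:
    """Defender's check on an 'arp -a' listing: one MAC claiming several IPs.

    On the poisoned target, the gateway and the attacker both map to CCCC.
    """
    by_mac: Dict[str, List[str]] = {}
    for ip, mac in arp_table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    lan = build_lan()
    print("before:", " -> ".join(trace(lan, TARGET_MAC, GATEWAY_IP)))
    poison(lan)
    print("after: ", " -> ".join(trace(lan, TARGET_MAC, GATEWAY_IP)))
    print("return:", " -> ".join(trace(lan, GATEWAY_MAC, TARGET_IP)))
    print("suspicious entries on target:",
          duplicate_mac_entries(lan[TARGET_MAC].arp_table))
```

Before poisoning the frame goes AAAA -> BBBB; afterwards it goes AAAA -> CCCC -> BBBB, and the reply goes BBBB -> CCCC -> AAAA, which is exactly the relay described above. The last line is the check worth remembering from the defender's side: on the victim, `arp -a` shows the gateway's IP paired with a MAC address that also belongs to another host on the LAN.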

Of course, with this attack I can see every site the target visits. Credentials submitted over plain HTTP will show up in the Passwords tab. HTTPS traffic is a different matter: Cain & Abel cannot decrypt TLS, and neither does sslstrip. What sslstrip does is rewrite the plain-HTTP pages passing through the attacker so that https:// links become http://, so the victim's browser never starts a TLS session and keeps talking plain HTTP to the attacker, who talks HTTPS to the real server. This only works if the victim's first contact with the site is over HTTP and the site does not enforce HSTS; browsers with HSTS preload lists refuse to downgrade, so for many sites it simply won't apply.